On Sat Jan 6 13:25:08 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 06 Jan 2024 13:06:48 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Sat Jan 6 03:34:43 2024 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Fri, 5 Jan 2024 23:53:52 +0000
> > > Luis Peromarta via samba <samba at lists.samba.org> wrote:
> > >
> > > > You think ntp works with samba but it doesn't.
> > >
> > > Sorry, but 'ntp' does work, it is the rewrite for more security
> > > 'ntpsec' that doesn't seem to work.
> > >
> > > >
> > > > You *must* use chrony. It will take you exactly 5 minutes to get
> > > > it up and running.
> > >
> > > Chrony does seem to work, I just hope they do not follow ntpsec down
> > > the same path.
> > >
> > > The other thing that you have to know, Mark Foley is using
> > > Slackware,
> > >
> > > Rowland
> >
> > In this case, I think Slackware is not a factor. For one thing, I
> > downloaded the ntp 4.2.8p17 source and built it using
> > --enable-ntp-signd; not the as-shipped Slackware version.
> >
>
> I was trying to point out that your version of 'ntp' might be okay
> because it came from Slackware (which seemingly it doesn't). The
> problem with 'ntp' became apparent on Debian 12, where the 'ntp'
> package was replaced by the 'ntpsec' package, where 'ntpsec' appears to
> be a rewrite of 'ntp' to provide more security. The only problem is
> that the connection between Samba and ntp was secure and 'ntpsec' seems
> to have broken this and cannot seem to fix it (my understanding, which
> may be wrong, is that they haven't a clue how it worked between 'ntp'
> and 'Samba', so they do not really know what, if anything, they
> removed.).
>
> My understanding is that if you are using 'ntp' (and not ntpsec), then
> it should still work.
>
> Rowland

Right, I've not heard of ntpsec and Slackware ships with ntpd 4.2.8p17.
However, I cannot tell whether the as-shipped ntpd is built with
--enable-ntp-signd, so I downloaded the sources and built it myself. But,
I'll be sure to steer clear of ntpsec!

--Mark

After trying all the suggestions in the below listed excerpts from this thread,
I've taken time since my last posting on January 6th to continue this issue with
the Microsoft forum:

https://learn.microsoft.com/en-us/answers/questions/1480474/unable-to-time-sync-with-domain-controller?page=1&orderby=helpful&comment=answer-1411748#newest-answer-comment

I likewise had no solution there.

So, I image-restored my Windows computer back to before I joined it to the
domain. I verified that when connected to the old domain the
w32tm /query /source was "mail.hprs.local". I then unjoined that domain and
joined to the new domain: hprs.locl. After rebooting and logging in as the
domain admin, and without doing anything, the /source was time.windows.com,0x9
whereas I expected (hoped) it would be dc1.hprs.locl as a default per the
comments below.

I have no time source GPO configured, and did not create one per the advice
shown below. However, my Windows computer clearly does NOT default to the DC as
the time source as the comments below indicate it should.

I am now using chrony as the time server on the DC, also per advice, but I don't
think chrony vs. ntpd is the problem.

On Windows I get:

    C:\Users\Administrator.HPRS>w32tm /query /status
    Leap Indicator: 3(not synchronized)
    Stratum: 0 (unspecified)
    Precision: -23 (119.209ns per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 0.0000000s
    ReferenceId: 0x00000000 (unspecified)
    Last Successful Sync Time: unspecified
    Source: Local CMOS Clock
    Poll Interval: 10 (1024s)

As I've mentioned, this time synchronization worked perfectly well when this same
Windows domain member was connected to the Samba 4.8.2 domain.

Does anyone have any idea how I can specify my DC as the time source? Even if I
have to hard code this somehow? I have an image backup of the Windows dom.
member, so I can try an infinity of things.

Thanks --Mark

Some snippets from past thread messages for reference:

On Thu Jan 4 22:42:38 2024 Sonic <sonicsmith at gmail.com> wrote:
>
> On Thu, Jan 4, 2024 at 7:46 PM Mark Foley via samb<samba at lists.samba.org> wrote:
> >
> > I've added a Windows 10 domain member to my Domain. I'm now following the
> > procedure in https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
> > What's going wrong here?
>
> Is there some reason you need a GPO for this? By default the system
> should get its time from the DC.
> From the page you refer to:
> "Windows AD domain members will use any DC as their default time
> source. If you have set up ntp on the DC as described on this page,
> you usually do not need to reconfigure the clients. Alternative
> configuration options for the clients are described below."
>
> I've only used a GPO to point to a different time server when the DC
> is incapable of providing the time service (older DC running in a
> container).
>
> Chris

On Fri Jan 5 01:52:25 2024 Luis Peromarta <lperoma at icloud.com> wrote:
> You should not need any GPOs for this. What NTP software are you using?

On Fri Jan 5 03:23:48 2024 Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> Hi Mark,
>
> Also, no need to use a GPO for this. The domain members get their time
> from a DC anyway.
>
> HTH,
>
> Peter

On Fri Jan 5 14:31:40 2024 Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> On Fri, Jan 5, 2024 at 2:32 PM Mark Foley via sam <samba at lists.samba.org> wrote:
> > <snip> I would think the wikis would mention the GPO not being
> > needed.
>
> Did you see the section titled "Default Time Source" in the page you
> link to that I quoted previously? The wiki clearly spells it out that
> using a GPO is usually unnecessary.
>
> > How do you know you're syncing with the DC?
>
> 'w32tm /query /status' will show you.
>
> > What does your 'w32tm /query /source' give you?
>
> My Windows domain members point to the DC.

Chris
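
[Added example, not part of any message in this thread and not Samba or Microsoft code.] A small check over 'w32tm /query /status' output that reports why a domain member is not syncing from its DC, run here on the output quoted in the message above. It assumes English-locale w32tm output; the function names and the second sample are constructed for illustration.

```python
import re

# 'w32tm /query /status' output quoted in the message above.
PAGE_STATUS = """\
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
"""

# Constructed sample of a member that does sync from the DC (not from the thread).
CONSTRUCTED_OK = """\
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Last Successful Sync Time: 1/6/2024 1:00:00 PM
Source: dc1.hprs.locl
"""

def parse_status(text):
    # Split on the first colon only, so timestamps keep their own colons.
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def leading_int(value):
    m = re.match(r"-?\d+", value or "")
    return int(m.group()) if m else None

def findings(text, expected_source):
    f = parse_status(text)
    out = []
    if leading_int(f.get("Leap Indicator")) == 3:
        out.append("leap indicator 3: clock not synchronized")
    if leading_int(f.get("Stratum")) == 0:
        out.append("stratum 0: no upstream time source")
    # Drop peer flags such as ',0x9' before comparing host names.
    source = f.get("Source", "").split(",")[0].strip().lower()
    if source != expected_source.lower():
        out.append(f"source is {source!r}, expected {expected_source!r}")
    if f.get("Last Successful Sync Time", "unspecified") == "unspecified":
        out.append("no successful sync recorded")
    return out
```

findings(PAGE_STATUS, "dc1.hprs.locl") returns four findings for the quoted output, and an empty list means the member reports the expected DC as its source.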